A new survey highlights what application security professionals view as the top security risks related to Application Programming Interfaces (APIs).

The 2023 SANS Survey on API Security, released by Akamai Technologies, Inc., found that fewer than 50% of respondents have API security testing tools in place and 29% have API discovery tools. The report also finds that taking advantage of API security controls that are included in DDoS and load balancing services is "an underutilized area," with 29% of respondents reporting using these features.

Akamai partnered with the SANS Institute on the survey, which was conducted in the first quarter of 2023 to determine enterprise awareness, readiness and future plans for dealing with API security risks. The 231 global respondents were primarily application security professionals.

Modern applications increasingly use APIs to capture business processes and break them into the communications required to efficiently enable business partners and customers to work with an organization.

Survey participants ranked phishing (38.3%) and missing patches (24%) as the top two API security concerns. These were followed by exploitation of vulnerable applications/APIs (12%) and accidental disclosure of sensitive information (9.1%).

Other key report highlights

  • 62% of respondents are using web application firewalls as part of API risk mitigation.
  • 57.1% of respondents reported API inventory accuracy of between 25% and 75%.
  • Most respondents cited the OWASP (Open Web Application Security Project) Application Security and API Top Ten lists, and the MITRE ATT&CK Framework as the basis for defining application and API risk.
  • 76% of survey takers reported training development staff on application security.